Fix incorrect length check in `DNSName` when extracting qtype or qclass
In `DNSName::packetParser()`, the length check might have been incorrect when the caller asked for the `qtype` and/or the `qclass` to be extracted. The `pos + labellen + 2 > end` check was wrong because `pos` might have already been incremented by `labellen`. There are 3 ways to exit the main loop:

* `labellen` is 0, the most common case, and in that case the check is valid
* `pos >= end`, meaning that `pos + labellen + 2 > end` will be true regardless of the value of `labellen` since it cannot be negative
* if `uncompress` is set and a compressed label is found, the main loop is broken out of, and `labellen` still holds a now irrelevant, possibly non-zero value corresponding to the first byte of the compressed label length & ~0xc0.

In that last case, if the compressed label points to a position > 255 the check is wrong and might have rejected a valid packet.

A quick look through the code didn't show any place where we request decompression and ask for `qtype` and/or `qclass` in a response, but I might have missed one.

Reported by Houssam El Hajoui (thanks!).

(cherry picked from commit 7b9c052)
Showing with 43 additions and 4 deletions.
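As an added illustration (not PowerDNS code and not the patch in this commit), the stand-in parser below reconstructs the three loop exits the commit message describes together with the pre-fix `pos + labellen + 2 > end` check and the corrected `pos + 2 > end` check, then runs both over two constructed question packets: one whose compression pointer targets offset 12 (high byte 0, both checks agree) and one whose pointer targets offset 768 (high byte 3, so the stale `labellen` makes the old check reject a packet that does hold qtype and qclass). The names `parseName`, `buildPacket`, `questionOffset` and `accepted`, the `buggyCheck` flag and the packet layouts are assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <iterator>
#include <stdexcept>
#include <string>
#include <vector>

// Added example, not PowerDNS code: a stripped-down stand-in for the name
// parser described in the commit message. It parses the DNS name at `pos`,
// follows at most one compression pointer when `uncompress` is set and, when
// `wantTypeClass` is set, reads the 2-byte qtype and qclass after the name.
// `buggyCheck` selects the pre-fix check `pos + labellen + 2 > end` instead
// of the corrected `pos + 2 > end`.
struct ParsedName {
    std::string name;    // dotted textual form, e.g. "www.example.com."
    uint16_t qtype = 0;
    uint16_t qclass = 0;
};

static uint16_t read16(const std::vector<uint8_t>& pkt, size_t pos) {
    return static_cast<uint16_t>((pkt.at(pos) << 8) | pkt.at(pos + 1));
}

ParsedName parseName(const std::vector<uint8_t>& pkt, size_t pos,
                     bool uncompress, bool wantTypeClass, bool buggyCheck) {
    const size_t end = pkt.size();
    ParsedName out;
    uint8_t labellen = 0;

    // Three ways out of this loop: (a) labellen == 0, (b) pos >= end,
    // (c) a compression pointer is found and followed (break below).
    while (pos < end && (labellen = pkt[pos++]) != 0) {
        if ((labellen & 0xc0) == 0xc0) {
            if (!uncompress)
                throw std::runtime_error("compression not allowed here");
            if (pos >= end)
                throw std::runtime_error("truncated compression pointer");
            labellen &= static_cast<uint8_t>(~0xc0);   // high byte of the offset
            size_t offset = static_cast<size_t>(labellen) * 256 + pkt[pos++];
            if (offset >= end)
                throw std::runtime_error("compression pointer out of bounds");
            // The pointed-to name supplies the remaining labels; qtype/qclass
            // still follow the original name, so nothing is read there.
            out.name += parseName(pkt, offset, false, false, buggyCheck).name;
            break;   // exit (c): labellen keeps a now-irrelevant value
        }
        if (labellen > 63 || pos + labellen > end)
            throw std::runtime_error("bad label length");
        out.name.append(reinterpret_cast<const char*>(&pkt[pos]), labellen);
        out.name += '.';
        pos += labellen;
    }

    if (wantTypeClass) {
        // Pre-fix: after exit (c) labellen is not a pending label length, so
        // a pointer to an offset > 255 inflates the requirement and can reject
        // a packet that does hold the 4 bytes of qtype and qclass.
        if (buggyCheck ? pos + labellen + 2 > end : pos + 2 > end)
            throw std::runtime_error("packet too short for qtype");
        out.qtype = read16(pkt, pos);
        pos += 2;
        if (buggyCheck ? pos + labellen + 2 > end : pos + 2 > end)
            throw std::runtime_error("packet too short for qclass");
        out.qclass = read16(pkt, pos);
    }
    return out;
}

// Constructed sample packet (not a capture): zero filler up to `targetOffset`,
// "example.com" stored there, then a question name "www" + pointer to
// `targetOffset`, followed by qtype A (1) and qclass IN (1). Nothing follows.
std::vector<uint8_t> buildPacket(size_t targetOffset) {
    std::vector<uint8_t> pkt(targetOffset, 0);
    const uint8_t target[] = {7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0};
    pkt.insert(pkt.end(), std::begin(target), std::end(target));
    const uint8_t www[] = {3, 'w', 'w', 'w'};
    pkt.insert(pkt.end(), std::begin(www), std::end(www));
    pkt.push_back(static_cast<uint8_t>(0xc0 | (targetOffset >> 8)));
    pkt.push_back(static_cast<uint8_t>(targetOffset & 0xff));
    const uint8_t typeClass[] = {0, 1, 0, 1};
    pkt.insert(pkt.end(), std::begin(typeClass), std::end(typeClass));
    return pkt;
}

// Offset of the question name inside buildPacket(targetOffset).
size_t questionOffset(size_t targetOffset) { return targetOffset + 13; }

// True if the parser accepts the constructed packet under the given check.
bool accepted(size_t targetOffset, bool buggyCheck) {
    try {
        parseName(buildPacket(targetOffset), questionOffset(targetOffset),
                  true, true, buggyCheck);
        return true;
    } catch (const std::runtime_error&) {
        return false;
    }
}

int main() {
    // Target 12: pointer high byte 0, both checks agree.
    // Target 768 (0x0300): pointer high byte 3, only the old check rejects.
    const size_t targets[] = {12, 768};
    for (size_t target : targets)
        std::printf("target %zu: old check %s, fixed check %s\n", target,
                    accepted(target, true) ? "accepts" : "rejects",
                    accepted(target, false) ? "accepts" : "rejects");
    return 0;
}
```

The packet with the pointer to offset 768 is well formed and has exactly the four bytes of qtype and qclass after the name, yet the old check asks for `labellen + 2` bytes, that is five, and rejects it; the corrected check reads qtype 1 and qclass 1. A pointer whose target is at or below 255 leaves `labellen` at 0, which is why the bug only shows for targets past the first 256 bytes.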